The fundamental problem with two-factor (2FA) session authentication is that the approach is vulnerable to Man in the Middle and Man in the Browser attacks. 2FA requires that customers present not only a password (something they know) when they log into online banking, but also demonstrate that they possess an authentication device (something they have). Devices normally take the form of a key fob which displays a number that changes every few seconds, but another approach is to require the customer to insert their bank card into a stand-alone reader. Unfortunately, there is nothing to stop an attacker who obtains a 2FA authentication code from using it to commit fraud.
In the classic Man in the Middle attack, the customer is coerced into visiting the attacker's website, normally by a phishing email. The website will look identical to the legitimate bank site, but when the customer enters their account details and one-time password, the malicious software will immediately connect to the real bank site and use the details to impersonate the customer and make a fraudulent transaction. Even mutual authentication does not defend against this attack, since the attacker is also able to see what the bank would normally show, making the customer think that they are communicating directly with the bank.
The Man in the Browser attack is an enhancement of the Man in the Middle, already seen in the wild. It is designed to work even against customers who are careful enough not to enter their bank details on sites visited from links in emails. In this attack, the fraudster installs malware on the customer's PC, either via email or a drive-by download (even with up-to-date anti-virus software, 80% of new malware is undetected). Then, when the customer makes a transfer using their normal online banking, the malware inside the web browser silently manipulates the amount and destination.
Both of these attacks circumvent one-time passwords, since 2FA only authenticates the session, not the transaction. The Man in the Browser attack is particularly hard for the bank to detect, since from their perspective the customer is visiting from their normal Internet connection and web browser. The user is also powerless to spot the attack, since the URL will be correct and the certificate will be valid; it is only the content of the web page which is being modified.
The solution to these attacks is transaction authentication. Here, the person accessing the bank website proves not only that they know a one-time password, but also that the real customer has seen the details of the transaction. In a Man in the Middle or Man in the Browser scenario, if any transaction details are modified, the authentication code will no longer match and the bank will refuse the transfer. However, in order for this to be reliable, it must be easy to use.
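To make the difference concrete, here is an added example (not Cronto's code, and not any particular product's scheme) contrasting a session-only one-time code with a code bound to the transaction details the customer has seen. It assumes a device and bank that share a secret key and a synchronised counter, and uses HMAC-SHA256 truncated to a decimal code; the key, counter and account numbers are constructed sample values.

```python
import hmac
import hashlib


def canonical_transaction(amount_minor: int, dest_account: str) -> bytes:
    """Serialise what the device displayed to the customer so both sides sign identical bytes.
    Amount is in minor units; the destination is length-prefixed to avoid ambiguity."""
    dest = dest_account.encode()
    return amount_minor.to_bytes(8, "big") + len(dest).to_bytes(1, "big") + dest


def _truncate(digest: bytes, digits: int) -> str:
    return f"{int.from_bytes(digest[:4], 'big') % (10 ** digits):0{digits}d}"


def session_code(device_key: bytes, counter: int, digits: int = 8) -> str:
    """Classic 2FA one-time code: depends only on the key and counter, never on the transaction."""
    return _truncate(hmac.new(device_key, counter.to_bytes(8, "big"), hashlib.sha256).digest(), digits)


def transaction_code(device_key: bytes, counter: int, amount_minor: int, dest_account: str, digits: int = 8) -> str:
    """Transaction authentication code: HMAC over (counter || details the customer saw on the device)."""
    msg = counter.to_bytes(8, "big") + canonical_transaction(amount_minor, dest_account)
    return _truncate(hmac.new(device_key, msg, hashlib.sha256).digest(), digits)


def bank_accepts_session(device_key: bytes, counter: int, submitted_code: str) -> bool:
    """Session-only check: the bank cannot tell whether the transfer it received is the one the customer meant."""
    return hmac.compare_digest(session_code(device_key, counter), submitted_code)


def bank_accepts_transaction(device_key: bytes, counter: int, amount_minor: int, dest: str, submitted_code: str) -> bool:
    """The bank recomputes the code over the transfer it actually received and compares in constant time."""
    return hmac.compare_digest(transaction_code(device_key, counter, amount_minor, dest), submitted_code)


def demo() -> tuple:
    key = bytes.fromhex("00112233445566778899aabbccddeeff")  # constructed sample device key
    counter = 42
    # Customer intends 150.00 to account 12345678 and reads the code off the trusted device.
    otp = session_code(key, counter)
    tac = transaction_code(key, counter, 15000, "12345678")
    # Malware in the browser rewrites the transfer to 9,999.00 to account 87654321 before submission.
    tampered_session = bank_accepts_session(key, counter, otp)                         # accepted
    tampered_tx = bank_accepts_transaction(key, counter, 999900, "87654321", tac)      # refused
    honest_tx = bank_accepts_transaction(key, counter, 15000, "12345678", tac)         # accepted
    return tampered_session, tampered_tx, honest_tx
```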
There are three main options available for transaction authentication: CAP, two-channel, and Cronto's visual cryptograms. Cronto's visual signing products are designed to give strong security assurances, while being acceptable to customers. Unlike CAP, as transaction details are encoded in a visual cryptogram, the user does not have to re-enter them into the trusted device, increasing speed, reducing errors and mitigating security problems. Costs to the service provider are also reduced, and reliability improved, since unlike SMS-based two-channel authentication, no mobile phone network access is required.
Cronto have published a whitepaper “Beyond phishing – de-mystifying the growing threat of Internet banking fraud”, discussing the threat of Man in the Middle and Man in the Browser attacks in more detail.
Securing personal financial transactions online and all that comes with it: trojans and man-in-the-browser, e-banking and e-commerce, usability and scalability. By Igor Drokov, Elena Punskaya et al. at Cronto - the inventor of Visual Transaction Signing.